Computer Technology Update

BY MALCOLM H. MORRISON, PhD

HIPAA covered entities are defined as health plans and healthcare providers involved in certain electronic transactions and healthcare clearinghouses. The general HIPAA Privacy Rule states that covered entities may not use or disclose PHI except as authorized by the individual described by the information or as explicitly required or permitted by regulation. When the use or disclosure of PHI is permitted, usually only the minimum necessary PHI needed to accomplish the intended purpose may be provided.

Individually identifiable health information is information created or received by a healthcare provider, health plan, public health authority, employer, life insurer, school, university, or healthcare clearinghouse that relates to the past, present, or future physical or mental health or condition of an individual, the healthcare provided to that individual, or past, present, or future reimbursement for that healthcare. Specific identifiers, pertaining not only to the individual but to relatives, employers, or household members, include: name, address, any date identifiable to the individual (e.g., birth date, treatment date, discharge date), Social Security number, medical record number, health plan benefit number, telephone or fax number, account number, vehicle identification or license plate number, e-mail address, and any other individually identifying number, characteristic, or code.

As alluded to earlier, some disclosure is permitted. Health plans may use or disclose PHI for treatment, reimbursement, or healthcare operations without the individual’s consent or authorization. These exceptions are broadly defined but, as with all the material in this article, the provider should check with a HIPAA-conversant attorney about the full meaning of these terms.

Individuals have certain rights under the privacy rules with regard to their own PHI. An individual can request access to and obtain copies of his or her PHI, request that the provider amend his or her PHI, request an accounting of disclosures of his or her PHI or, within limits, restrict the use and disclosure of his or her PHI. In addition, the provider must adopt and document policies and procedures with respect to individual rights under the HIPAA privacy rules.

The final Privacy Rule issued late last year (2002) made several important modifications to the original-it specifically:

• eliminates the requirement that providers obtain con-sent for treatment, payment, or healthcare operations; rather, providers will need to make a good-faith effort to obtain a patient’s written acknowledgment of receipt of the provider’s notice of privacy practices (assuming, of course, that the provider has created such a notice). If an acknowledgment cannot be obtained, the provider must document its good-faith efforts to obtain the acknowledgment and the reasons it was not obtained. The rule does not prescribe the form of the written acknowledgment, and the preamble to the rule suggests that the requirement may be satisfied by requiring a patient to initial the notice, sign a list, or complete a separate document. The preamble also suggests that covered entities may use a “layered notice” comprised of a short summary of the individual’s rights with a longer notice underneath that contains all the elements required by the Privacy Rule. Legal assistance is recommended;
• permits incidental uses and disclosures of PHI subject to certain conditions (check with your attorney);
• requires a signed authorization before using a patient’s PHI in a “marketing communication” (and the definition of “marketing” includes significant exceptions);
• streamlines the authorization requirements;
• simplifies the requirements for a waiver of authorization to use PHI for research and makes them more consistent with the “Common Rule” that applies to many federally funded research programs; and
• allows use and disclosure of limited data sets for research, public health, or healthcare operations without patient authorization if certain requirements are met.

Under the rule, covered entities will still be required to obtain an individual’s authorization for uses and disclosures of PHI. The rule requires this authorization to include the following core elements:

• a description of the PHI to be used or disclosed;
• an identification of the persons or class of persons authorized to request the disclosure;
• a description of each purpose of the requested use or disclosure;
• an expiration date or event related to the disclosure;
• the signature of the individual or the individual’s authorized personal representative, and date; and
• if signed by a personal representative, a description of the representative’s authority to act for the individual.

In addition to these core elements, the authorization must contain the following notification statements and must be written in plain language:

• a statement that the individual has the right to revoke the authorization;
• a statement regarding the ability or inability of the covered entity to condition treatment, payment, enrollment, or eligibility for benefits on the individual’s authorization, giving the reasons and explaining the consequences; and
• a statement regarding the potential for information disclosed to be redisclosed by the recipient and, thus, outside the protection of the Privacy Rule.

HIPAA Software
Many readers may have seen or heard by now information/advertisements about “HIPAA software” or “HIPAA-compliant software.” One group of products provides HIPAA-related rules and regulations, forms, and compliance materials in a training context. Before purchasing such materials (whether in software or hard-copy form), it is recommended that you seek legal advice and guidance on their general appropriateness. “HIPAA-compliant” software packages are often designed to provide privacy protection for electronic data files functioning through facilities’ existing software packages. Before considering these types of “add-on” software applications, each organization should consult with its current software vendors to ascertain their products’ HIPAA compliance and determine whether any external software is, in fact, required. If so, it should then be determined whether particular add-on packages are compatible with the facility’s existing software.

In general, it is important to recognize that although HIPAA’s privacy requirements do cover electronic data, protection of all PHI (electronically maintained or otherwise) is required, and many HIPAA-compliance steps may not involve electronic processes. At a minimum, each organization should review the security of electronic PHI to ensure compliance with HIPAA privacy regulations.

Online Resources
There is a great deal of information concerning HIPAA available on the Internet. Some valuable sites include:

• Healthcare Intelligence Network, HIPAA Library, www.hin.com

• United States Department of Health and Human Services, www.hhs.gov

• Idaho Department of Health and Welfare, www.state.id.us/dhw/hipaa

• Washington State Department of Social and Health Services, https://maa.dshs.wa.gov/dshshipaa

• VIPS, www.vips.com/hipaa/index.html

• HCPro, www.himinfo.com

• American Health Information Management Association, www.ahima.org NH